KQL query to retrieve list of servers which are running metricbeat

Hello,

I am trying to retrieve the list of servers which are running metricbeat.
At this moment I have built a query but I don't know how to get the output with every host.name and the number of hits in the last minute.

Can someone please take a look?

GET metricbeat-7.6.2/_search?size=0
{
  "aggs": {
    "hosts_count": {
      "value_count": {
        "field": "host.name"
      }
    }
  },
  "query": {
    "bool": {
      "must": {
        "range": {
          "@timestamp":{"gt": "now-1m"}
        }}
    }
  }
}

Welcome to the community @Sergius92

Remove size=0 or change to how many results you want. If you remove it then it will default to 10 results.

That parameter affects how many results are returned for your query but doesn't affect the aggs. You should be seeing the aggs in the output though.


Thanks a lot for your hint. I am quite new to KQL and I don't know all the features available.
I've removed it but now I have all the information available.
Can I filter somehow to see only the desired result?

I want to have something like:
Host1_name
host1_count: 2

host2_name
host2_count:150

And so on.

Thanks a lot in advance.

Think I got it. Try below but if you don't see any results bump the 1 minute to a higher number to see if it works.

GET metricbeat-7.6.2/_search
{
  "size": 0,
  "query": {
    "range": {
      "@timestamp": {
        "gte": "now-1m",
        "lt": "now"
      }
    }
  },
  "aggs": {
    "by_host": {
      "terms": {
        "field": "host.name"
      }
    }
  }
}

Thanks a lot @aaron-nimocks !

I've finally managed to get my output as I wanted thanks to your help.
If someone is interested in this topic I will add the query here and the output:

GET metricbeat-7.6.2/_search
{
  "size": 0,
  "query": {
    "range": {
      "@timestamp": {
        "gte": "now-1m",
        "lt": "now"
      }
    }
  },
  "aggs": {
    "by_host": {
      "terms": {
        "field": "host.name",
        "size": 10000,
        "order": {
          "_key": "asc"
        }
      }
    }
  }
}

OUTPUT

{
  "took" : 6,
  "timed_out" : false,
  "_shards" : {
    "total" : 10,
    "successful" : 10,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 10000,
      "relation" : "gte"
    },
    "max_score" : null,
    "hits" : [ ]
  },
  "aggregations" : {
    "by_host" : {
      "doc_count_error_upper_bound" : 0,
      "sum_other_doc_count" : 0,
      "buckets" : [
        {
          "key" : "hostn03",
          "doc_count" : 197
        },
        {
          "key" : "hostn04",
          "doc_count" : 195
        },
        {
          "key" : "hostn05",
          "doc_count" : 208
        },
        {
          "key" : "hostn06",
          "doc_count" : 204
        },
        {
          "key" : "hostn07",
          "doc_count" : 196
        }
.............................
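The query the thread settles on is also the basis of a simple liveness check: any host from your inventory that no longer appears in the `by_host` buckets (or shows only a handful of documents) has a metricbeat that stopped shipping. The script below is an added example, not code from the thread; it builds that request body, parses a constructed sample of the aggregation response shown above, and flags silent hosts. The host names and the `expected_hosts` inventory are placeholders.

```python
"""Added example: build the per-host terms aggregation from the thread, parse
its response, and flag hosts whose metricbeat has gone quiet."""
import json

# Constructed sample in the shape of the thread's output, trimmed to three hosts.
SAMPLE_RESPONSE = json.loads("""
{
  "hits": {"total": {"value": 10000, "relation": "gte"}, "hits": []},
  "aggregations": {
    "by_host": {
      "doc_count_error_upper_bound": 0,
      "sum_other_doc_count": 0,
      "buckets": [
        {"key": "hostn03", "doc_count": 197},
        {"key": "hostn04", "doc_count": 3},
        {"key": "hostn05", "doc_count": 208}
      ]
    }
  }
}
""")

def build_query(window="1m", max_hosts=10000):
    """Request body: documents per host.name in the last window.
    size=0 drops the hits; the terms 'size' must exceed the fleet size,
    otherwise some hosts silently land in sum_other_doc_count."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": f"now-{window}", "lt": "now"}}},
        "aggs": {"by_host": {"terms": {"field": "host.name", "size": max_hosts,
                                       "order": {"_key": "asc"}}}},
    }

def host_counts(response):
    """Map host.name -> doc_count from the by_host aggregation. Refuse a
    truncated bucket list: a host that was cut off would otherwise look silent."""
    agg = response["aggregations"]["by_host"]
    if agg["sum_other_doc_count"] != 0:
        raise ValueError("terms agg truncated: raise the 'size' parameter")
    return {b["key"]: b["doc_count"] for b in agg["buckets"]}

def silent_hosts(counts, expected_hosts, min_docs=10):
    """Inventory hosts missing from the buckets or below min_docs in the window."""
    return sorted(h for h in expected_hosts if counts.get(h, 0) < min_docs)

if __name__ == "__main__":
    counts = host_counts(SAMPLE_RESPONSE)
    # constructed inventory: hostn06 is expected but sent nothing in the window
    print(silent_hosts(counts, {"hostn03", "hostn04", "hostn05", "hostn06"}))
```

Run against a live cluster by posting `build_query()` to the same `_search` endpoint and passing the decoded JSON to `host_counts`; widen the window before trusting an alert, as the thread notes a one-minute window can be empty.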
